--- controls: version: "k3s-cis-1.7" id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" audit: "check_for_k3s_etcd.sh 2.1" tests: bin_op: and test_items: - flag: "cert-file" env: "ETCD_CERT_FILE" set: true - flag: "key-file" env: "ETCD_KEY_FILE" set: true remediation: | Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters. --cert-file= --key-file= scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" audit: "check_for_k3s_etcd.sh 2.2" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true set: true remediation: | Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --client-cert-auth="true" scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" audit: "check_for_k3s_etcd.sh 2.3" tests: bin_op: or test_items: - flag: "--auto-tls" env: "ETCD_AUTO_TLS" set: false - flag: "--auto-tls" env: "ETCD_AUTO_TLS" compare: op: eq value: false remediation: | Edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" audit: "check_for_k3s_etcd.sh 2.4" tests: bin_op: and test_items: - flag: "cert-file" env: "ETCD_PEER_CERT_FILE" set: true - flag: "key-file" env: "ETCD_PEER_KEY_FILE" set: true remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameters. --peer-client-file= --peer-key-file= scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" audit: "check_for_k3s_etcd.sh 2.5" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true set: true remediation: | Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --peer-client-cert-auth=true scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" audit: "check_for_k3s_etcd.sh 2.6" tests: bin_op: or test_items: - flag: "--peer-auto-tls" env: "ETCD_PEER_AUTO_TLS" set: false - flag: "--peer-auto-tls" env: "ETCD_PEER_AUTO_TLS" compare: op: eq value: false set: true remediation: | Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. --peer-auto-tls=false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" audit: "check_for_k3s_etcd.sh 2.7" tests: test_items: - flag: "trusted-ca-file" env: "ETCD_TRUSTED_CA_FILE" set: true remediation: | [Manual test] Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --trusted-ca-file= scored: false